Virus Profile: W97M/Lami

Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/26/2002
Date Added: 9/6/2002
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4072

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- The macro warning is disabled.
- The messages described under Virus Characteristics are displayed.
- The following files are deleted from the infected document's directory between 28th December and 3rd January:

  • *.sys
  • *.drv
  • *.dll
  • *.dos

Methods of Infection

Opening an infected document will directly infect the local Word environment and any document opened thereafter.
   

Virus Characteristics

This threat is detected as W97M/Generic. The virus contains two modules, ThisDocument and Kamilla, and a form, frmAbout. On opening the infected document, the virus will replace text with:

"Kamila"" atacks"
Your word processor is infected.
Code written by Otto Gutenberg.
Almaty, 2001

The virus will then change the user details in File/Properties/Summary Info: Author = "Otto von Gutenberg", Subject = "Kamila atacks your word processor" and Comments = "CAUTION: Don't open". On any day between 28th December and 3rd January, the virus will change the Word Application caption to "Merry Christmas!!! Nice holidays for you". Word's macro protection will also be disabled.

The virus will also display the message "Happy new Year!!! Have a nice holiday" and delete the files with the following extensions in the current document folder: "*.sys", "*.drv", "*.dll", "*.dos". If the day is 16th December, the virus will cause the machine to exit Windows. W97M/Lami exports its code to C:\kamila.dll, C:\kama.dll and C:\kamafrm.dll. These files are not infected.

Selecting Tools/Macro displays the message "Your word processor is infected" and exits Windows. Selecting Tools/Visual Basic Editor will also delete the files with the following extensions in the current document folder: "*.sys", "*.drv", "*.dll", "*.dos".
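The indicators described above can be checked during triage. The following is an added example, not part of the original profile or any vendor tool: the function names are hypothetical, the date window is assumed to be inclusive, and the caller is assumed to have already read the document's Summary Info fields.

```python
from datetime import date
from pathlib import Path
from typing import Optional
import tempfile

# Indicators taken from the profile text; everything else is illustrative.
EXPORTED_FILES = ("kamila.dll", "kama.dll", "kamafrm.dll")  # exported to C:\
SUMMARY_INFO = {
    "author": "Otto von Gutenberg",
    "subject": "Kamila atacks your word processor",
    "comments": "CAUTION: Don't open",
}

def payload_for(day: date) -> Optional[str]:
    """Date-triggered behaviour the profile describes for this day, if any."""
    md = (day.month, day.day)
    if md == (12, 16):
        return "exit-windows"
    # Window wraps the year end: 28 Dec to 3 Jan (assumed inclusive).
    if md >= (12, 28) or md <= (1, 3):
        return "delete-files"
    return None

def exported_modules(root: Path) -> list:
    """Exported-code files found directly under root, matched case-insensitively."""
    wanted = set(EXPORTED_FILES)
    return sorted(p.name.lower() for p in root.iterdir()
                  if p.is_file() and p.name.lower() in wanted)

def summary_info_hits(props: dict) -> list:
    """Summary Info fields whose value equals the string the virus sets."""
    return [k for k, v in SUMMARY_INFO.items()
            if str(props.get(k) or "").strip().casefold() == v.casefold()]

def triage(root: Path, props: dict, when: date) -> dict:
    """Combine the three checks into one report for a host and document."""
    return {"exported_modules": exported_modules(root),
            "summary_info": summary_info_hits(props),
            "payload_on_date": payload_for(when)}

if __name__ == "__main__":
    # Constructed sample: a temp directory stands in for the C:\ root.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "KAMA.DLL").write_bytes(b"")
        props = {"author": "Otto von Gutenberg", "subject": "Q3 report"}
        print(triage(Path(d), props, date(2002, 12, 30)))
```

On a live host, pass the drive root as `root`; correlating `payload_for` with file-system timestamps helps decide whether missing *.sys, *.drv, *.dll or *.dos files in a document folder fall inside the deletion window.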

   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications. For example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)